Agency breaches are down, but exposed records are way up

By William Jackson

Sep 10, 2012

The number of data breaches reported by agencies over the last three years is trending downward, but the amount of personal information being exposed continues to increase, according to an analysis by the security intelligence firm Rapid7.

Agencies are doing a good job of addressing the simple problems, such as protecting mobile devices from loss or theft and securing the data on them with full-disk encryption, said security researcher Marcus Carey.

“I think the government is getting rid of the low-hanging fruit,” he said. But the thornier problems of hacking and human error remain. “We still see people getting compromised by hacking and malware.”

After a spike of 102 reported government data breach incidents in 2010, the number dropped to 82 in 2011, and through May of this year just 31 breaches had been reported. But the number of records exposed has grown sharply over that time, from 1.5 million in 2010 to 4 million in 2011, and up to 9.6 million through May of this year.

The figures are taken from the Privacy Rights Clearinghouse, which gathers information from reported incidents in its Chronology of Data Breaches.

The Rapid7 analysis comes with several caveats, Carey said. Associating the number of breaches with the number of records exposed is dicey because of the high impact of some incidents. For instance, 2009 had the lowest number of reported incidents with just 53, but the 79 million records exposed that year dwarfed the total of the next three years combined, mostly because of one incident -- a hard drive that was sent by the Veterans Affairs Department to a vendor for repair and recycling before 76 million personal records had been erased.

“One breach might net tons of records,” Carey said. “There is no real way to correlate” the number of breaches and their impact over time.

Secondly, data breach reports are not reliable. “This is the tip of the iceberg,” Carey said. Despite legal and regulatory reporting requirements, many incidents are not reported because of a lack of enforcement and because the threshold for reporting is not clear. “In reality there are a lot more we don’t know about,” he said.

With these limitations in mind, the threat to government remains apparent because of the amount of data it holds and the continuing vulnerability of its IT systems. The population most at risk from these breaches appears to be veterans. From 2009 through May 2012, 14 incidents were reported involving more than 76.2 million veterans’ records. The bulk of these were from the 2009 incident, but veteran records frequently appear in other incidents.

Although the loss of physical records and of portable devices is declining as a source of breaches, unintended disclosure of records -- human error -- continues to dominate as a source of losses, along with malware and hacking. Malware often is effective because of the difficulty of patching vulnerabilities in many government systems, Carey said.

“A lot of agencies can’t patch in a timely manner,” he said. This often is because priority is given to uptime and availability of systems over data security. “You can’t patch it because it can take a system down. You always err on the side of being able to do the mission. If the system can’t be patched it is going to be compromised.”

To counter this problem, more critical and sensitive government systems are being isolated on subnets that can be better protected at the perimeter. But agencies still are not demanding enough security from vendors, Carey said. Because of the difficulty of timely patching and updating and the long lead time in developing, procuring and deploying systems, agencies need to ensure that systems are as secure as possible at the time they are deployed.

Carey said developers, both in the private sector and government, need to be more actively involved in open-source programs that maintain commonly used software. Open-source libraries often are used in developing tools and need to be actively supported by users to ensure that the software remains up-to-date and as secure as possible.